1 / 49

Oded Regev Tel-Aviv University

On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. Oded Regev Tel-Aviv University. Introduction to lattices Main theorem: a hard learning problem Application: a stronger and more efficient public key cryptosystem Proof of main theorem Overview

hermanwest
Download Presentation

Oded Regev Tel-Aviv University

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography Oded Regev Tel-Aviv University

  2. Introduction to lattices • Main theorem: a hard learning problem • Application: a stronger and more efficient public key cryptosystem • Proof of main theorem • Overview • Part I: Quantum • Part II: Classical Outline

  3. Lattices • Basis: • v1,…,vn vectors in Rn • The lattice L is • L={a1v1+…+anvn| ai integers} • The dual lattice of L is • L*={x | 8 y2L, hx,yi2 Z} v1+v2 2v2 2v1 2v2-v1 v1 v2 2v2-2v1 0

  4. Shortest Vector Problem (SVP) • SVP: Given a lattice, find an approximately shortest vector v2 v1 0

  5. Closest Vector Problem (CVPd) v • CVPd: Given a lattice and a target vector within distance d, find the closest lattice point 0

  6. Main TheoremHardness of Learning

  7. Let s2Z2n be a secret • We have random equations modulo 2 with error (everything independent): • Without error, it’s easy! s2+s3+s4+ s6+…+sn0 s1+s2+ s4+ s6+…+sn1 s1+ s3+s4+s5+ …+sn1 s2+s3+s4+ s6+…+sn0 . . . Learning from parity with error

  8. More formally, we need to learn s from samples of the form (t,st+e) where t is chosen uniformly from Z2nand e is a bit that is 1 with probability 10%. • Easy algorithms need 2O(n) equations/time • Best algorithm needs 2O(n/logn) equations/time [BlumKalaiWasserman’00] • Open question: why is this problem so hard? Learning from parity with error

  9. Fix some p<poly(n) • Let s2Zpn be a secret • We have random equations modulo p with error: 2s1+0s2+2s3+1s4+2s5+4s6+…+4sn2 0s1+1s2+5s3+0s4+6s5+6s6+…+2sn4 6s1+5s2+2s3+0s4+5s5+2s6+…+0sn2 6s1+4s2+4s3+4s4+3s5+3s6+…+1sn5 . . . Learning modulo p

  10. More formally, we need to learn s from samples of the form (t,st+e) where t is chosen uniformly from Zpn and e is chosen from Zp • Easy algorithms need 2O(nlogn) equations/time • Best algorithm needs 2O(n) equations/time [BlumKalaiWasserman’00] Learning modulo p

  11. Learning modulo p is as hard as worst-case lattice problems using a quantum reduction • In other words: solving the problem implies an efficient quantum algorithm for lattices Main Theorem

  12. For m=poly(n), let C be a random m£n matrix with elements in Zp. Given Cs+e for some sZpn and some noise vector eZpm, recover s. • This is the problem of decoding from a random linear code Equivalent formulation

  13. As part of the reduction, we need to perform a certain algorithmic task on lattices • We do not know how to do it classically, only quantumly! Why Quantum?

  14. We are given an oracle that solves CVPd for some small d • As far as I can see, the only way to generate inputs to this oracle is: • Somehow choose xL • Let y be some random vector within dist d of x • Call the oracle with y • The answer is x. But we already know the answer !! • Quantumly, being able to compute x from y is very useful: it allows us to transform the state |y,x> to the state |y,0> reversibly (and then we can apply the quantum Fourier transform) Why Quantum? x y

  15. Application:New Public Key Encryption Scheme

  16. Main advantages: • Based on a lattice problem • Worst-case hardness • Main disadvantages: • Based only on unique-SVP • Impractical (think of n as100): • Public key size O(n4) • Encryption expands by O(n2) Previous lattice-based PKES[AjtaiDwork96,GoldreichGoldwasserHalevi97,R’03]

  17. Main advantages: • Practical (think of n as100): • Public key size O(n) • Encryption expands by O(n) • Main disadvantages: • Not based on lattice problem • No worst-case hardness Ajtai’s recent PKES [Ajtai05]

  18. Main advantages: • Worst-case hardness • Based on the main lattice problems (SVP, SIVP) • Practical (think of n as100): • Public key size O(n) • Encryption expands by O(n) • Breaking the cryptosystem implies an efficient quantum algorithm for lattices • In fact, security is based on the learning problem (no quantum needed here) quantum New lattice-based PKES[This work]

  19. Everything modulo 4 • Private key: 4 random numbers 1203 • Public key: a 6x4 matrix and approximate inner product • Encrypt the bit 0: • Encrypt the bit 1: 3·? + 2·? + 1·? + 0·? ≈1 The Cryptosystem 2·1 + 0·2 + 1·0 + 2·3 ≈1 1·1 + 2·2 + 2·0 + 3·3 ≈2 0·1 + 2·2 + 0·0 + 3·3 ≈1 1·1 + 2·2 + 0·0 + 2·3 ≈0 0·1 + 3·2 + 1·0 + 3·3 ≈3 3·1 + 3·2 + 0·0 + 2·3 ≈2 2 0 1 2 1 2 2 3 0 2 0 3 1 2 0 2 0 3 1 3 3 3 0 2 2·? + 0·? + 1·? + 2·? ≈1 1·? + 2·? + 2·? + 3·? ≈2 0·? + 2·? + 0·? + 3·? ≈1 1·? + 2·? + 0·? + 2·? ≈0 0·? + 3·? + 1·? + 3·? ≈3 3·? + 3·? + 0·? + 2·? ≈2 2·1 + 0·2 + 1·0 + 2·3 =0 1·1 + 2·2 + 2·0 + 3·3 =2 0·1 + 2·2 + 0·0 + 3·3 =1 1·1 + 2·2 + 0·0 + 2·3 =3 0·1 + 3·2 + 1·0 + 3·3 =3 3·1 + 3·2 + 0·0 + 2·3 =3 3·? + 2·? + 1·? + 0·? ≈3

  20. Proof of the Main TheoremOverview

  21. Define a Gaussian distribution on a lattice (normalization omitted) • We can efficiently sample from Dr for large r=2n Gaussian Distribution

  22. Assume the existence of an algorithm for the learning modulo p problem for p=2√n • Our lattice algorithm: • r=2n • Take poly(n) samples from Dr • Repeat: • Given poly(n) samples from Dr compute poly(n) samples from Dr/2 • Set r←r/2 • When r is small, output a short vector The Reduction

  23. Dr

  24. Dr/2

  25. Lemma 1: • Given poly(n) samples from Dr, and an oracle for ‘learning modulo p’, we can solve • CVPp/r in L* • No quantum here  • Lemma 2: • Given a solution to CVPd in L*, we can obtain samples from D√n/d • Quantum  • Based on the quantum Fourier transform p=2√n Obtaining Dr/2 from Dr

  26. Classical, uses learning oracle Quantum Samples from Drin L Solution to CVPp/rin L* Samples from Dr/2 in L Solution to CVP2p/rin L* Samples from Dr/4in L Solution to CVP4p/rin L*

  27. Fourier Transform Primal world (L) Dual world (L*)

  28. The Fourier transform of Dr is given by • Its value is • 1 for x in L*, • e-1 at points of distance 1/r from L*, • ¼0 at points far away from L*. Fourier Transform

  29. Proof of the Main TheoremLemma 2: Obtaining D√n/d from CVPd

  30. Assume we can solve CVPd; we’ll show how to obtain samples from D√n/d • Step 1: • Create the quantum state • by adding a Gaussian to each lattice point and uncomputing the lattice point by using the CVP algorithm From CVPd to D√n/d

  31. Step 2: • Compute the quantum Fourier transform of • It is exactly D√n/d !! • Step 3: • Measure and obtain one sample from D√n/d • By repeating this process, we can obtain poly(n) samples From CVPd to D√n/d

  32. More precisely, create the state • And the state • Tensor them together and add first to second • Uncompute first register by solving CVPp/r From CVPd to D√n/d

  33. Proof of the Main TheoremLemma 1: Solving CVPp/r given samples from Dr and an oracle for learning mod p

  34. Lemma: being able to approximate fp/r implies a solution to CVPp/r • Proof Idea – walk uphill: • fp/r(x)>¼for points x of distance < p/r • Keep making small modifications to x as long as fp/r(x) increases • Stop when fp/r(x)=1 (then we are on a lattice point) It’s enough to approximate fp/r

  35. For warm-up, we show how to approximate f1/r given samples from Dr • No need for learning • This is main idea in [AharonovR’04] • Then we show how to approximatef2/r given samples from Dr and an oracle for the learning problem • Approximatingfp/r is similar What’s ahead in this part

  36. Let’s write f1/r in its Fourier representation: • Using samples from Dr, we can compute a good approximation to f1/r (this is the main idea in [AharonovR’04]) Warm-up: approximating f1/r

  37. Consider the Fourier representation again: • For x2L*, hw,xi is integer for all w in L and therefore we get f1/r(x)=1 • For x that is close to L*, hw,xi is distributed around an integer. Its standard deviation can be (say) 1. Fourier Transform

  38. Main idea: partition Dr into 2n distributions • For t(Z2)n, denote the translate t by Dtr • Given a lattice point we can compute its t • The probability on (Z2)n obtained by sampling from Dr and outputting t is close to uniform 0,0 0,1 1,0 1,1 Approximating f2/r

  39. Hence, by using samples from Dr we can produce samples from the following distribution on pairs (t,w): • Sample t(Z2)n uniformly at random • Sample w from Dtr • Consider the Fourier transform of Dtr Approximating f2/r

  40. The functions ft2/r look almost like f2/r • Only difference is that some Gaussians have their sign flipped • Approximating ft2/r is enough: we can easily take the absolute value and obtain f2/r • For this, however, we need to obtain several pairs (t,w) for the same t • The problem is that each sample (t,w) has a different t ! Approximating f2/r

  41. Fix x close to L* • The sign of its Gaussian is ±1 depending on hs,ti mod 2 for s(Z2)n that depends only on x • The distribution of x,w mod 2 when w is sampled from Dtr is centred around s,t mod 2 • Hence, we obtain equations modulo 2 with error: Approximating f2/r hs,t1i ¼dhx,w1ic mod 2 hs,t2i ¼dhx,w2ic mod 2 hs,t3i ¼dhx,w3ic mod 2 . . .

  42. Using the learning algorithm, we solve these equations and obtain s • Knowing s, we can cancel the sign • Averaging over enough samples gives us an approximation to f2/r Approximating f2/r

  43. Dequantize the reduction: • This would lead to the ‘ultimate’ lattice-based cryptosystem (based on SVP, efficient) • Main obstacle: what can one do classically with a solution to CVPd? • Construct even more efficient schemes based on special classes of lattices such as cyclic lattices • For hash functions this was done by Micciancio Open Problems 1/4

  44. Extend to learning from parity (i.e., p=2) or even some constant p • Is there something inherently different about the case of constant p? • Use the ‘learning mod p’ problem to derive other lattice-based hardness results • Recently, used by Klivans and Sherstov to derive hardness of learning problems Open Problems 2/4

  45. Open Problems 3/4 • Cryptanalysis • Current attacks limited to low dimension [NguyenStern98] • New systems [Ajtai05,R05] are efficient and can be easily used with dimension 100+ • Security against chosen-ciphertext attacks • Known lattice-based cryptosystems are not secure against CCA

  46. Open Problems 4/4 • Comparison with number theoretic cryptography • E.g., can one factor integers using an oracle for n-approximate SVP? • Signature schemes • Can one construct provably secure lattice-based signature schemes?

More Related